1 / 19

Title

Title. FIVE. ON FOUR DEFINITIONS OF DATA INTEGRITY Ravi Sandhu George Mason University. Reconcile 5 definitions of data integrity Scope is limited to data integrity as opposed to system integrity None of the definitions is “wrong” or “right”. OBJECTIVE.

walterlynn
Download Presentation

Title

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Title FIVE ON FOUR DEFINITIONS OF DATA INTEGRITY Ravi Sandhu George Mason University

  2. Reconcile 5 definitions of data integrity Scope is limited to data integrity as opposed to system integrity None of the definitions is “wrong” or “right” OBJECTIVE

  3. 1. Courtney Expectation of data quality 2. Sandhu-Jajodia Safeguards against improper data modification 3. ITSEC, CTCPEC Safeguards against unauthorized data modification 4. Biba (or BLP) Ensure one directional information flow in a lattice 5. Network arena Safeguards against message modification THE FIVE DEFINITIONS more general less general

  4. 1. Expectation of data quality 2. Improper data modification 3. Unauthorized data modification 4. One directional information flow 5. No modification THE FIVE DEFINITIONS OBJECTIVES Liveness and Safety Safety Only

  5. 1. Expectation of data quality 2. Improper data modification 3. Unauthorized data modification 4. One directional information flow 5. No modification THE FIVE DEFINITIONS ENFORCEMENT IS PRIMARILY BY External actions of users + Internal actions of the TCB Internal actions of the TCB

  6. 1. Expectation of data quality 2. Improper data modification 3. Unauthorized data modification 4. One directional information flow 5. No modification THE FIVE DEFINITIONS POLICY Must be articulated by the System Owners Is built in

  7. 1. Expectation of data quality 2. Improper data modification 3. Unauthorized data modification 4. One directional information flow 5. No modification THE FIVE DEFINITIONS ENFORCEMENT MECHANISMS Prevention + Detection Detection

  8. THE DATA QUALITY DEFINITION Integrity -- The property that data, an information process, computer equipment, and/or software, people, etc., or any collection of these entities, meet an a priori expectation of quality that is satisfactory and adequate in some specific circumstance. Bob Courtney NIST Invitational Workshop on Data Integrity, 1989

  9. “THERMOSTAT MODEL”

  10. Binary view: Data has integrity if its actual state differs from the ideal state by less than the tolerable limits of deviation Graded view: Data has integrity in inverse relationship to the extent that its actual state differs from the ideal state BINARY OR GRADED? IN OTHER WORDS THIS IS A NON-ISSUE

  11. CLARK-WILSON MODEL Internal and external consistency of CDIs USERS IVPs TPs CDIs UDIs

  12. C1 IVPs validate CDI state C2 TPs preserve valid state C3 Suitable (static) separation of duties C4 TPs write to log C5 TPs validate UDIs E1 CDIs changed only by authorized TP E2 Users authorized to TP and CDI E3 Users are authenticated E4 Authorizations changed only by security officer CLARK-WILSON RULES

  13. Concerned with improper modification of data Does not address liveness, except to require that “integrity verification procedures” verify correspondence of data to external reality It is one approach to meeting the “improper data modification” aspects of data integrity with a small liveness attachment CLARK-WILSON MODEL

  14. Type enforcement can be used to implement a number of mechanisms related to improper modification of data well-formed transformation procedures data encapsulation separation of duties assured pipelines Type enforcement does not directly support liveness requirements TYPE ENFORCEMENT(Boebert and Kain)

  15. HRU, TAM, SPM can be used to implement a number of mechanisms related to improper modification of data do not directly support liveness requirements OTHER ACCESS CONTROL MODELS

  16. “Integrity - Correctness and appropriateness of the content and/or source of a piece of information.” The Courtney and Federal Criteria definitions are close enough that they can be reconciled fairly easily Courtney's definition is more general, because it is phrased in terms of data quality, which is a more general notion than the specific attributes of correctness and appropriateness DRAFT FEDERAL CRITERIA

  17. By Courtney and Federal Criteria definitions this is an integrity violation (if we expect labels to be correct) DOES INTEGRITY SUBSUME SECRECY? Top Secret Contents Label: Secret

  18. Is this an integrity violation? HOMEWORK ASSIGNMENT Unclassified Contents Label: Secret

  19. John Dobson Carl Landwehr LouAnna Notargiacomo Marv Schaefer PANELISTS

More Related